d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

Analysis

max time kernel
168s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
Size

1016KB
MD5

4402b79a264a2159e792fe161ccdc510
SHA1

5a3f8dd7943dcbba109bc6f31b966197a817df6b
SHA256

d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671
SHA512

98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb
SSDEEP

6144:QIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU6ESl:QIXsgtvm1De5YlOx6lzBH46Up

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

xzsqxqazhjc.exewchpbgo.exewchpbgo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wchpbgo.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

xzsqxqazhjc.exewchpbgo.exewchpbgo.exexzsqxqazhjc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xzsqxqazhjc.exe

Adds policy Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xzsqxqazhjc.exewchpbgo.exewchpbgo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemxmuflch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkypkypbyjgnloay.exe"	xzsqxqazhjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wchpbgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "wofzxoixxllvwcrskra.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "yslhhawnpfhtwevysbmgz.exe"	wchpbgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "yslhhawnpfhtwevysbmgz.exe"	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "vkypkypbyjgnloay.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemxmuflch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yslhhawnpfhtwevysbmgz.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemxmuflch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshzvkcpnzxfeivuk.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemxmuflch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofzxoixxllvwcrskra.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "jcupogbrshitvcsunvfy.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "cshzvkcpnzxfeivuk.exe"	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemxmuflch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofzxoixxllvwcrskra.exe"	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "lcsliyrferqzzessjp.exe"	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemxmuflch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshzvkcpnzxfeivuk.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemxmuflch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofzxoixxllvwcrskra.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "lcsliyrferqzzessjp.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemxmuflch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkypkypbyjgnloay.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemxmuflch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcsliyrferqzzessjp.exe"	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "vkypkypbyjgnloay.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "wofzxoixxllvwcrskra.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "yslhhawnpfhtwevysbmgz.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjxpaoxrztxs = "jcupogbrshitvcsunvfy.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemxmuflch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcupogbrshitvcsunvfy.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemxmuflch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkypkypbyjgnloay.exe"	wchpbgo.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

xzsqxqazhjc.exewchpbgo.exewchpbgo.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wchpbgo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wchpbgo.exe

Executes dropped EXE 4 IoCs

Processes:

xzsqxqazhjc.exewchpbgo.exewchpbgo.exexzsqxqazhjc.exe

pid process

3608 xzsqxqazhjc.exe
1920 wchpbgo.exe
2768 wchpbgo.exe
3616 xzsqxqazhjc.exe

pid	process
3608	xzsqxqazhjc.exe
1920	wchpbgo.exe
2768	wchpbgo.exe
3616	xzsqxqazhjc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exexzsqxqazhjc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	xzsqxqazhjc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wchpbgo.exewchpbgo.exexzsqxqazhjc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "vkypkypbyjgnloay.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qerhboeplvrxuwh = "cshzvkcpnzxfeivuk.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qajvlugnfld = "jcupogbrshitvcsunvfy.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcupogbrshitvcsunvfy.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkypkypbyjgnloay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yslhhawnpfhtwevysbmgz.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nambugvfajejfg = "yslhhawnpfhtwevysbmgz.exe"	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cshzvkcpnzxfeivuk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcupogbrshitvcsunvfy.exe"	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cshzvkcpnzxfeivuk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshzvkcpnzxfeivuk.exe"	wchpbgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	wchpbgo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkypkypbyjgnloay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshzvkcpnzxfeivuk.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkypkypbyjgnloay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshzvkcpnzxfeivuk.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nambugvfajejfg = "wofzxoixxllvwcrskra.exe"	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qerhboeplvrxuwh = "lcsliyrferqzzessjp.exe ."	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qerhboeplvrxuwh = "lcsliyrferqzzessjp.exe ."	wchpbgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nambugvfajejfg = "wofzxoixxllvwcrskra.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "cshzvkcpnzxfeivuk.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qerhboeplvrxuwh = "vkypkypbyjgnloay.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qerhboeplvrxuwh = "lcsliyrferqzzessjp.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nambugvfajejfg = "yslhhawnpfhtwevysbmgz.exe"	wchpbgo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cshzvkcpnzxfeivuk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkypkypbyjgnloay.exe"	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "yslhhawnpfhtwevysbmgz.exe ."	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cshzvkcpnzxfeivuk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcsliyrferqzzessjp.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qajvlugnfld = "yslhhawnpfhtwevysbmgz.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "wofzxoixxllvwcrskra.exe ."	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qajvlugnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcupogbrshitvcsunvfy.exe"	xzsqxqazhjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qajvlugnfld = "lcsliyrferqzzessjp.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nambugvfajejfg = "wofzxoixxllvwcrskra.exe"	wchpbgo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkypkypbyjgnloay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofzxoixxllvwcrskra.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofzxoixxllvwcrskra.exe ."	wchpbgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkypkypbyjgnloay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshzvkcpnzxfeivuk.exe ."	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nambugvfajejfg = "cshzvkcpnzxfeivuk.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcsliyrferqzzessjp.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qajvlugnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yslhhawnpfhtwevysbmgz.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkypkypbyjgnloay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkypkypbyjgnloay.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkypkypbyjgnloay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcupogbrshitvcsunvfy.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "vkypkypbyjgnloay.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshzvkcpnzxfeivuk.exe ."	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cshzvkcpnzxfeivuk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yslhhawnpfhtwevysbmgz.exe"	xzsqxqazhjc.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cshzvkcpnzxfeivuk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcupogbrshitvcsunvfy.exe"	wchpbgo.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcsliyrferqzzessjp.exe ."	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qajvlugnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshzvkcpnzxfeivuk.exe"	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkypkypbyjgnloay.exe ."	xzsqxqazhjc.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qerhboeplvrxuwh = "cshzvkcpnzxfeivuk.exe ."	wchpbgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkypkypbyjgnloay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcsliyrferqzzessjp.exe ."	xzsqxqazhjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cshzvkcpnzxfeivuk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkypkypbyjgnloay.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkypkypbyjgnloay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcsliyrferqzzessjp.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qajvlugnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkypkypbyjgnloay.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qajvlugnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcsliyrferqzzessjp.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qajvlugnfld = "wofzxoixxllvwcrskra.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cshzvkcpnzxfeivuk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkypkypbyjgnloay.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qerhboeplvrxuwh = "wofzxoixxllvwcrskra.exe ."	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nambugvfajejfg = "lcsliyrferqzzessjp.exe"	wchpbgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyivmwjrkrkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkypkypbyjgnloay.exe ."	wchpbgo.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

xzsqxqazhjc.exexzsqxqazhjc.exewchpbgo.exewchpbgo.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xzsqxqazhjc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wchpbgo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wchpbgo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xzsqxqazhjc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

57 whatismyip.everdot.org
68 whatismyipaddress.com
77 www.showmyipaddress.com

flow	ioc
57	whatismyip.everdot.org
68	whatismyipaddress.com
77	www.showmyipaddress.com

Drops file in System32 directory 32 IoCs

Processes:

wchpbgo.exexzsqxqazhjc.exexzsqxqazhjc.exewchpbgo.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cshzvkcpnzxfeivuk.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\pkebcwtlofivziaezjvqkh.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\jcupogbrshitvcsunvfy.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\vkypkypbyjgnloay.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\cshzvkcpnzxfeivuk.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\yslhhawnpfhtwevysbmgz.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\vkypkypbyjgnloay.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\wofzxoixxllvwcrskra.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\lcsliyrferqzzessjp.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\lcsliyrferqzzessjp.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\yslhhawnpfhtwevysbmgz.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\pkebcwtlofivziaezjvqkh.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\lcsliyrferqzzessjp.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\cshzvkcpnzxfeivuk.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\jcupogbrshitvcsunvfy.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\nambugvfajejfgqmzbfsetmynxsbwbxyiert.kwl	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\wofzxoixxllvwcrskra.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\pkebcwtlofivziaezjvqkh.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\wofzxoixxllvwcrskra.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\yslhhawnpfhtwevysbmgz.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\pkebcwtlofivziaezjvqkh.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\jcupogbrshitvcsunvfy.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\yslhhawnpfhtwevysbmgz.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\iklpxycbljtnyonyarkmnrzae.nlv	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\vkypkypbyjgnloay.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\lcsliyrferqzzessjp.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\cshzvkcpnzxfeivuk.exe	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\vkypkypbyjgnloay.exe	wchpbgo.exe
File created	C:\Windows\SysWOW64\nambugvfajejfgqmzbfsetmynxsbwbxyiert.kwl	wchpbgo.exe
File opened for modification	C:\Windows\SysWOW64\wofzxoixxllvwcrskra.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\SysWOW64\jcupogbrshitvcsunvfy.exe	wchpbgo.exe
File created	C:\Windows\SysWOW64\iklpxycbljtnyonyarkmnrzae.nlv	wchpbgo.exe

Drops file in Program Files directory 4 IoCs

Processes:

wchpbgo.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\nambugvfajejfgqmzbfsetmynxsbwbxyiert.kwl	wchpbgo.exe
File created	C:\Program Files (x86)\nambugvfajejfgqmzbfsetmynxsbwbxyiert.kwl	wchpbgo.exe
File opened for modification	C:\Program Files (x86)\iklpxycbljtnyonyarkmnrzae.nlv	wchpbgo.exe
File created	C:\Program Files (x86)\iklpxycbljtnyonyarkmnrzae.nlv	wchpbgo.exe

Drops file in Windows directory 26 IoCs

Processes:

wchpbgo.exewchpbgo.exexzsqxqazhjc.exexzsqxqazhjc.exe

description	ioc	process
File opened for modification	C:\Windows\cshzvkcpnzxfeivuk.exe	wchpbgo.exe
File opened for modification	C:\Windows\lcsliyrferqzzessjp.exe	wchpbgo.exe
File opened for modification	C:\Windows\wofzxoixxllvwcrskra.exe	wchpbgo.exe
File opened for modification	C:\Windows\wofzxoixxllvwcrskra.exe	wchpbgo.exe
File opened for modification	C:\Windows\yslhhawnpfhtwevysbmgz.exe	wchpbgo.exe
File opened for modification	C:\Windows\iklpxycbljtnyonyarkmnrzae.nlv	wchpbgo.exe
File opened for modification	C:\Windows\cshzvkcpnzxfeivuk.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\vkypkypbyjgnloay.exe	wchpbgo.exe
File opened for modification	C:\Windows\nambugvfajejfgqmzbfsetmynxsbwbxyiert.kwl	wchpbgo.exe
File opened for modification	C:\Windows\jcupogbrshitvcsunvfy.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\pkebcwtlofivziaezjvqkh.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\vkypkypbyjgnloay.exe	wchpbgo.exe
File opened for modification	C:\Windows\cshzvkcpnzxfeivuk.exe	wchpbgo.exe
File opened for modification	C:\Windows\lcsliyrferqzzessjp.exe	wchpbgo.exe
File created	C:\Windows\iklpxycbljtnyonyarkmnrzae.nlv	wchpbgo.exe
File opened for modification	C:\Windows\lcsliyrferqzzessjp.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\wofzxoixxllvwcrskra.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\vkypkypbyjgnloay.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\jcupogbrshitvcsunvfy.exe	wchpbgo.exe
File opened for modification	C:\Windows\jcupogbrshitvcsunvfy.exe	wchpbgo.exe
File created	C:\Windows\nambugvfajejfgqmzbfsetmynxsbwbxyiert.kwl	wchpbgo.exe
File opened for modification	C:\Windows\vkypkypbyjgnloay.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\yslhhawnpfhtwevysbmgz.exe	xzsqxqazhjc.exe
File opened for modification	C:\Windows\pkebcwtlofivziaezjvqkh.exe	wchpbgo.exe
File opened for modification	C:\Windows\yslhhawnpfhtwevysbmgz.exe	wchpbgo.exe
File opened for modification	C:\Windows\pkebcwtlofivziaezjvqkh.exe	wchpbgo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe

pid	process
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wchpbgo.exe

description pid process

Token: SeDebugPrivilege 1920 wchpbgo.exe

description	pid	process
Token: SeDebugPrivilege	1920	wchpbgo.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exexzsqxqazhjc.exe

description	pid	process	target process
PID 1352 wrote to memory of 3608	1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe	xzsqxqazhjc.exe
PID 1352 wrote to memory of 3608	1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe	xzsqxqazhjc.exe
PID 1352 wrote to memory of 3608	1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe	xzsqxqazhjc.exe
PID 3608 wrote to memory of 1920	3608	xzsqxqazhjc.exe	wchpbgo.exe
PID 3608 wrote to memory of 1920	3608	xzsqxqazhjc.exe	wchpbgo.exe
PID 3608 wrote to memory of 1920	3608	xzsqxqazhjc.exe	wchpbgo.exe
PID 3608 wrote to memory of 2768	3608	xzsqxqazhjc.exe	wchpbgo.exe
PID 3608 wrote to memory of 2768	3608	xzsqxqazhjc.exe	wchpbgo.exe
PID 3608 wrote to memory of 2768	3608	xzsqxqazhjc.exe	wchpbgo.exe
PID 1352 wrote to memory of 3616	1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe	xzsqxqazhjc.exe
PID 1352 wrote to memory of 3616	1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe	xzsqxqazhjc.exe
PID 1352 wrote to memory of 3616	1352	d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe	xzsqxqazhjc.exe

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

Processes:

xzsqxqazhjc.exewchpbgo.exewchpbgo.exexzsqxqazhjc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wchpbgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wchpbgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wchpbgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wchpbgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xzsqxqazhjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wchpbgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xzsqxqazhjc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wchpbgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wchpbgo.exe

C:\Users\Admin\AppData\Local\Temp\d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe
"C:\Users\Admin\AppData\Local\Temp\d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\xzsqxqazhjc.exe
"C:\Users\Admin\AppData\Local\Temp\xzsqxqazhjc.exe" "c:\users\admin\appdata\local\temp\d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe*"
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3608

C:\Users\Admin\AppData\Local\Temp\wchpbgo.exe
"C:\Users\Admin\AppData\Local\Temp\wchpbgo.exe" "-C:\Users\Admin\AppData\Local\Temp\vkypkypbyjgnloay.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1920

C:\Users\Admin\AppData\Local\Temp\wchpbgo.exe
"C:\Users\Admin\AppData\Local\Temp\wchpbgo.exe" "-C:\Users\Admin\AppData\Local\Temp\vkypkypbyjgnloay.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2768

C:\Users\Admin\AppData\Local\Temp\xzsqxqazhjc.exe
"C:\Users\Admin\AppData\Local\Temp\xzsqxqazhjc.exe" "c:\users\admin\appdata\local\temp\d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cshzvkcpnzxfeivuk.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcupogbrshitvcsunvfy.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcsliyrferqzzessjp.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkebcwtlofivziaezjvqkh.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkypkypbyjgnloay.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wchpbgo.exe
Filesize
712KB

MD5
4922da3d22ff1c26819f6dc1e0dd2238

SHA1
8eaa3ac0e2d681d3fae64a53822202564d7a80cb

SHA256
32a4a7d8b0bf15bc7a904f1c2e284cb4deb2cfee3d2c88b4561f6f8a9e4ea070

SHA512
e4c809c9fabe3019df7c764d4c0432afc1c11ef79959331961f33e956e4a46cc37bfbd12ea001e275ea2e43e54577a47d55f5af2b0f5854a81c894c4e97da372

Download Submit
C:\Users\Admin\AppData\Local\Temp\wchpbgo.exe
Filesize
712KB

MD5
4922da3d22ff1c26819f6dc1e0dd2238

SHA1
8eaa3ac0e2d681d3fae64a53822202564d7a80cb

SHA256
32a4a7d8b0bf15bc7a904f1c2e284cb4deb2cfee3d2c88b4561f6f8a9e4ea070

SHA512
e4c809c9fabe3019df7c764d4c0432afc1c11ef79959331961f33e956e4a46cc37bfbd12ea001e275ea2e43e54577a47d55f5af2b0f5854a81c894c4e97da372

Download Submit
C:\Users\Admin\AppData\Local\Temp\wchpbgo.exe
Filesize
712KB

MD5
4922da3d22ff1c26819f6dc1e0dd2238

SHA1
8eaa3ac0e2d681d3fae64a53822202564d7a80cb

SHA256
32a4a7d8b0bf15bc7a904f1c2e284cb4deb2cfee3d2c88b4561f6f8a9e4ea070

SHA512
e4c809c9fabe3019df7c764d4c0432afc1c11ef79959331961f33e956e4a46cc37bfbd12ea001e275ea2e43e54577a47d55f5af2b0f5854a81c894c4e97da372

Download Submit
C:\Users\Admin\AppData\Local\Temp\wofzxoixxllvwcrskra.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzsqxqazhjc.exe
Filesize
320KB

MD5
8c024513b2f8632e054dcf61121c1454

SHA1
435e85d5cfa0960c8f559af947f6ca02776d714d

SHA256
066ad5f9137f17f13fd26058077b2f42cd01da62bfc784eecdbb33d22ed06df0

SHA512
38eb7c4b35b52982a3741da0c5abf9e10bc5961d7ac5ab69be04c286d2a3531e51814382dda613e22b731a3bde49727147a410a07e77477ae7de177f6b0ea273

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzsqxqazhjc.exe
Filesize
320KB

MD5
8c024513b2f8632e054dcf61121c1454

SHA1
435e85d5cfa0960c8f559af947f6ca02776d714d

SHA256
066ad5f9137f17f13fd26058077b2f42cd01da62bfc784eecdbb33d22ed06df0

SHA512
38eb7c4b35b52982a3741da0c5abf9e10bc5961d7ac5ab69be04c286d2a3531e51814382dda613e22b731a3bde49727147a410a07e77477ae7de177f6b0ea273

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzsqxqazhjc.exe
Filesize
320KB

MD5
8c024513b2f8632e054dcf61121c1454

SHA1
435e85d5cfa0960c8f559af947f6ca02776d714d

SHA256
066ad5f9137f17f13fd26058077b2f42cd01da62bfc784eecdbb33d22ed06df0

SHA512
38eb7c4b35b52982a3741da0c5abf9e10bc5961d7ac5ab69be04c286d2a3531e51814382dda613e22b731a3bde49727147a410a07e77477ae7de177f6b0ea273

Download Submit
C:\Users\Admin\AppData\Local\Temp\yslhhawnpfhtwevysbmgz.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\SysWOW64\cshzvkcpnzxfeivuk.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\SysWOW64\jcupogbrshitvcsunvfy.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\SysWOW64\lcsliyrferqzzessjp.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\SysWOW64\pkebcwtlofivziaezjvqkh.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\SysWOW64\vkypkypbyjgnloay.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\SysWOW64\wofzxoixxllvwcrskra.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\SysWOW64\yslhhawnpfhtwevysbmgz.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\cshzvkcpnzxfeivuk.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\cshzvkcpnzxfeivuk.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\cshzvkcpnzxfeivuk.exe
Filesize
128KB

MD5
00339fd45c0b16decf03f16a5abdb9d9

SHA1
6906bf2af6b5da3a45d634c5d6e9e95464c54094

SHA256
d60fcd7a9ec1bd62c8d31f551db7eb585f2cd159d691e12f62d4eca25a113cf9

SHA512
b5ba148efd8740c8eb13e89fdc688b363c226c6cc68c9695ab55fdb67cdc9274faa848333761a9b71e1e73d13c10bf57069916fb127600f79315aaf30a8842aa

Download Submit
C:\Windows\jcupogbrshitvcsunvfy.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\jcupogbrshitvcsunvfy.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\lcsliyrferqzzessjp.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\lcsliyrferqzzessjp.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\lcsliyrferqzzessjp.exe
Filesize
65KB

MD5
37358f038774f84b478b16fd8909539d

SHA1
8e962f7d9c9f3c64677d08b1fc728dd61c75158f

SHA256
7bd81afb4afa857f33c02f262c0023013a39a40cc48d9f754ac5a45c1fbcac4f

SHA512
b1e4775622ddc9d1bd94d9b75544835d1a917bc5d81cf1c7a4030063525418c6b0797eabee8b2b69eb9404b351752b54024fa2f5bf2f10016a10f21978e41159

Download Submit
C:\Windows\pkebcwtlofivziaezjvqkh.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\pkebcwtlofivziaezjvqkh.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\vkypkypbyjgnloay.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\vkypkypbyjgnloay.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\vkypkypbyjgnloay.exe
Filesize
512KB

MD5
d71dd64925a9a3828303253a2f65b4ba

SHA1
477bdc9126a19458a9a95d184d756a1755b8ae66

SHA256
9e4c571743268a3d1885959565437babd73ed31ab3c43beb9c8e5fd99cf68678

SHA512
0cf01da189bf89948e54e4e3439268e460c4febb5afedd715bfb7fa7489b8a7b6866e7ac24d8ddfab58f661f42a742cdb266297612c4cb66348695bf2a760f39

Download Submit
C:\Windows\wofzxoixxllvwcrskra.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\wofzxoixxllvwcrskra.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\yslhhawnpfhtwevysbmgz.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
C:\Windows\yslhhawnpfhtwevysbmgz.exe
Filesize
1016KB

MD5
4402b79a264a2159e792fe161ccdc510

SHA1
5a3f8dd7943dcbba109bc6f31b966197a817df6b

SHA256
d855ec4434551855a32c9e012b3346ce849a8f001b88064141e87c2027e9a671

SHA512
98bb70c3632714100c45de282cc88b442ed08ff7fc1e15254b2dfdeb6fbf89cc0a964b6e27ff60371cc058ea17541e13106334eb0876b7595cee281f001173bb

Download Submit
memory/1920-135-0x0000000000000000-mapping.dmp

Download
memory/2768-138-0x0000000000000000-mapping.dmp

Download
memory/3608-132-0x0000000000000000-mapping.dmp

Download
memory/3616-168-0x0000000000000000-mapping.dmp

Download